DETAILED ACTION 

1. This is in response to the amendment filed on 03/20/2007. 

2. Claims 1-43 are pending in the application. 

3. Claims 1-43 have been rejected. 

4. The terminal disclaimer filed by the applicant to overcome the previous obviousness-type double 
patenting rejection over co-pending application No. 10/458,628 is accepted, and the obviousness-type 
double patenting rejection is accordingly withdrawn. 

Response to Arguments 

5. Regarding the previous 35 USC 103(a) rejections of claims 1-34, the applicant 
primarily argues that the cited prior art references, individually or in combination, fail to disclose: 

(a) a network device having ports, switching fabric, and control logic. 

(b) a user policy identifies an access control list. 

The applicant's above arguments have been fully considered and are found persuasive; however, they 
are moot in view of the new grounds of rejection set forth below. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the 
rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the 
United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by another 
filed in the United States before the invention by the applicant for patent, except that an international application filed under the 
treaty defined in section 351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) of such treaty in the 
English language. 

6. Claims 1-3, 6-7, 11, 13-15, 17, 23-25 and 28-29 are rejected under 35 USC 102(e) as being 
anticipated by Kanuri et al (US 6807179 B1). 
Regarding claim 1, Kanuri et al teaches a layer 2 network access device for providing 
network security, comprising: 

a plurality of input ports (Fig 1, 12.22; Col 3, lines 25-67; multiport switch); 

a switching fabric in the layer 2 network access device for routing data received on said 
plurality of input ports to at least one output port (Fig 1.28; Col 3, lines 25-67; switch fabric; Col 4, 
lines 7-52; layer 2 switch); and 

control logic in the layer 2 network access device (Col 3, line 28 to Col 5, line 65: the switch; 
MAC module; switching (rules) logic) adapted to authenticate a physical address of a user device 
coupled to one of said plurality of input ports (Col 3, line 28 to Col 5, line 65; matching MAC 
addresses), to authenticate user information provided by a user of said user device only if said 
physical address is valid (Col 3, line 54 to Col 4, line 34; Col 5, lines 10-65; user, or network nodes' 
attributes/ policies/ information; user defined policies/ attributes; authenticating VLAN field/ index/ 
information, and MAC addresses specific to user/ network node/ data frame), and to restrict access 
to said one of said plurality of input ports in accordance with a user policy associated with said user 
information only if said user information is valid (Fig 2:40; associated port, MAC and VLAN 
information; Fig 3, step 70-106; Col 5, lines 43-60; if in step 74 the switching rules logic determined 
a match between MAC ... VLAN index ... (then) checks in step 76 whether port ...; the examiner 
interprets switching "rules" logic as policy; port filtering). 

Regarding claim 13, Kanuri et al teaches a method for providing network security, 
comprising: 
authenticating in a layer 2 network access device a physical address of a user device coupled 
to a port of the network access device (Fig 2:40; associated port, MAC and VLAN information; 
Col 3, line 28 to Col 5, line 65; matching MAC addresses); 

authenticating user information provided by a user of said user device to the network access 
device only if said physical address is valid (Col 3, line 54 to Col 4, line 34; Col 5, lines 10-65; user 
or network nodes' attributes/ policies/ information; user defined policies/ attributes; authenticating 
VLAN field/ index/ information, and MAC addresses specific to user/ network node/ data frame); 
and 

restricting access to said port in accordance with a user policy associated with said user 
information only if said user information is valid (Fig 2:40; associated port, MAC and VLAN 
information; Fig 3, step 70-106; Col 5, lines 43-60; if in step 74 the switching rules logic determined 
a match between MAC ... VLAN index ... (then) checks in step 76 whether port ...; the examiner 
interprets switching "rules" logic as policy; port filtering). 


Regarding claim 23, Kanuri et al teaches a network system, comprising: 

a data communications network (Fig 1; Col 3, line 27 to Col 4, line 50; communication 
between network nodes/ stations/ devices); 

a layer 2 network access device coupled to said data communications network (Fig 1.28; Col 
3, lines 25-67; switch fabric; Col 4, lines 7-52; layer 2 switch); and 

a user device coupled to a port of said network access device (Col 3, line 54 to Col 4, line 34; 
user, or network nodes' attributes/ policies/ information); 
wherein said network access device is adapted to authenticate a physical address of said user 
device (Col 3, line 28 to Col 5, line 65; matching MAC addresses), to authenticate user information 
provided by a user of said user device only if said physical address is valid (Col 3, line 54 to Col 4, 
line 34; Col 5, lines 10-65; user, or network nodes; user defined policies/ attributes; authenticating 
VLAN field/ index/ information, and MAC addresses specific to user/ network node/ data frame), 
and to restrict access to said port in accordance with a user policy associated with said user 
information only if said user information is valid (Fig 3, step 70-106; Col 5, lines 43-60; if in step 74 
the switching rules logic determined a match between MAC ... VLAN index ... (then) checks in step 
76 whether port ...; the examiner interprets switching "rules" logic as policy). 

Regarding claim 2, Kanuri et al teaches the network access device of claim 1, wherein said 
physical address comprises a Media Access Control (MAC) address (Col 5, starts at line 23; MAC 
address). 

Regarding claim 3, Kanuri et al teaches the network access device of claim 1, wherein said 
control logic is adapted to authenticate said user information in accordance with an IEEE 802.1x 
protocol (Col 3, starting at line 36: IEEE 802.3). 

Regarding claim 6, Kanuri et al teaches the network access device of claim 1, wherein said 
user policy identifies a Media Access Control (MAC) address filter (Fig 2.40, 2.42; Col 5, starting at 
line 41; address table including MAC/ VLAN/ Port information; matching MAC addresses). 
Regarding claim 7, Kanuri et al teaches the network access device of claim 1, wherein said 
user policy includes a Media Access Control (MAC) address filter (Fig 2.40, 2.42; Col 5, starting at 
line 41; address table including MAC/ VLAN/ Port information; matching MAC addresses). 

Regarding claim 11, Kanuri et al teaches the network access device of claim 1, wherein said 
control logic is further adapted to assign said one of said plurality of input ports to a virtual local 
area network (VLAN) associated with said user information if said user information is valid (Col 5, 
starting at line 25; matching VLAN information). 

Regarding claims 14-15, 17, 24-25 and 28-29, they recite the limitations of claims 1-3 and 6-7; 
therefore, they are rejected on the same grounds applied above to claims 1-3 and 6-7. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections 
set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of 
this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a 
whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject 
matter pertains. Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 4-5, 16, 26 and 27 are rejected under 35 USC 103(a) as being unpatentable over Kanuri 
et al (US 6807179 B1) in view of Mate et al (US 7028098 B2). 

Regarding claim 4, Kanuri et al fails to disclose the network access device wherein said user 
policy identifies an access control list. 

However, Mate et al discloses a network access device wherein said user policy identifies an 
access control list (Col 5, starts at line 60; Col 10, starts at line 45; policy; ACL). 

Mate et al and Kanuri et al are analogous art because they are from the same field of 
endeavor of secure network communication. At the time of the invention, it would have been obvious to a 
person of ordinary skill in the art to combine the teachings of Mate et al with Kanuri to design an apparatus 
wherein the user policy identifies an access control list, in order to facilitate managed packet filtering 
based on port or flow information. 

Regarding claim 5, Kanuri et al fails to disclose the network access device wherein said user 
policy includes an access control list (Col 5, starts at line 60; Col 10, starts at line 45; policy 
including ACL). 

Regarding claims 16, 26 and 27, they recite the limitations of claims 4 and 5; therefore, they 
are rejected on the same grounds applied above to claims 4 and 5. 

8. Claims 8-10, 18-22 and 31-34 are rejected under 35 USC 103(a) as being unpatentable over 
Kanuri et al (US 6807179 B1) in view of See et al (US 6874090 B2). 

Regarding claim 8, Kanuri et al fails to teach the network access device of claim 1, wherein 
said control logic is adapted to send said user information to an authentication server and to receive 
an accept message from said authentication server if said user information is valid. 
However, See et al teaches control logic adapted to send said user information to an 
authentication server and to receive an accept message from said authentication server if said user 
information is valid (Col 6, starting at line 32; Col 10, starting at line 10; claims 25-27; 
authentication information including VLAN identifier; user identification information). 

Mate et al and See et al are analogous art because they are from the same field of endeavor 
of secure network communication. At the time of the invention, it would have been obvious to a person of 
ordinary skill in the art to combine the teachings of See et al with Kanuri to design an apparatus 
further including an authentication server, in order to facilitate proper VLAN authentication. 

Regarding claim 9, Kanuri et al fails to teach the network access device of claim 8, wherein 
said authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) 
server. 

However, See et al teaches wherein said authentication server comprises a Remote 
Authentication Dial-In User Service (RADIUS) server (Col 10, starting at line 10; claims 25-27). 

Regarding claim 10, See et al teaches wherein said accept message includes said user policy 
(Col 1, starting at line 56). 

Regarding claim 12, See et al teaches the network access device of claim 11, wherein said 
control logic is adapted to receive a message from an authentication server, wherein said message 
comprises a VLAN identifier (ID) associated with said user information, and to assign said one of 
said plurality of input ports to a VLAN associated with said VLAN ID (Col 6, starting at line 32; Col 
10, starting at line 10; claims 25-27; VLAN identifier; user identification information; authentication 
server, information). 

Regarding claims 18-22 and 31-34, they recite the limitations of claims 9-10 and 12; therefore, 
they are rejected on the same grounds applied above to claims 9-10 and 12. 

9. Claims 38-43 are rejected under 35 USC 103(a) as being unpatentable over Kanuri et al (US 
6807179 B1) in view of See et al (US 6874090 B2) further in view of Volpano (US 7188364 B2). 

Regarding claims 38, 40 and 42, Kanuri et al teaches an apparatus/ method/ system for providing 
network security, comprising: 

a data communication network (Col 3, starts at line 26; network packets); 

a network access device coupled to said data communication network (Col 3, starts at line 26; 
switch enabling communication); 

a plurality of input ports (Fig 1, 12.22; Col 3, lines 25-67; multiport switch); 

a switching fabric for routing data received on said plurality of input ports to at least one 
output port (Fig 1.28; Col 3, lines 25-67; switch fabric; Col 4, lines 7-52; layer 2 switch); and 

control logic adapted to: 

authenticate a physical address of a user device coupled to one of said plurality of input 
ports (Col 3, line 28 to Col 5, line 65: the switch; MAC module; switching (rules) logic; 
matching MAC addresses); 

authenticate user information provided by a user of said user device only if said physical 
address is valid (Col 3, line 54 to Col 4, line 34; Col 5, lines 10-65; user or network nodes' 
attributes/ policies/ information; user defined policies/ attributes; authenticating VLAN field/ index/ 
information, and MAC addresses specific to user/ network node/ data frame); 

if authentication of user information indicates said user information is valid, determine whether 
said user is associated with a VLAN supported by said apparatus, wherein said message 
comprises a VLAN identifier (ID) associated with said user information (Col 5, lines 1-65; 
determining/ matching VLAN index/ information); 

if said user is associated with said VLAN, assign said one of said plurality of ports to said 
VLAN associated with said user (Col 5, lines 1-20; Col 6, lines 1-40; switching logic assigning/ 
selecting ports); 

if said user is not associated with said VLAN, assign said one of said plurality of input ports 
to a port default VLAN (Col 5, lines 1-20; Col 6, lines 1-40; switching logic assigning/ selecting 
ports); and 

restrict access to said one of said plurality of input ports in accordance with a user policy 
associated with said user information (Fig 2:40; associated port, MAC and VLAN information; Fig 
3, step 70-106; Col 5, lines 43-60; if in step 74 the switching rules logic determined a match between 
MAC ... VLAN index ... (then) checks in step 76 whether port ...; the examiner interprets switching 
"rules" logic as policy; port filtering). 

Kanuri et al fails to disclose expressly: 

drop packets from said user device if said physical address is invalid; 

if authentication of said user information indicates said user information is invalid, block all 
traffic on said one of said plurality of input ports except for packets related to a user 
authentication protocol; 

receiving a message from an authentication server, wherein said message comprises a VLAN 
identifier (ID) associated with said user information; 

if said user is not associated with said VLAN, block all traffic on said one of said plurality of 
input ports except for packets related to said user authentication protocol. 

However, See et al discloses 

drop packets from said user device if said physical address is invalid (Col 6, starting at line 
32; filtering/ dropping packets based on MAC/ VLAN identifier); 

receiving a message from an authentication server, wherein said message comprises a VLAN 
identifier (ID) associated with said user information (Col 6, starting at line 32; Col 10, starting at 
line 10; claims 25-27; authentication information including VLAN identifier; user identification 
information). 


The modified See et al - Kanuri et al apparatus/ method/ system fails to disclose: 

if authentication of said user information indicates said user information is invalid, 
block all traffic on said one of said plurality of input ports except for packets related to a user 
authentication protocol; 

if said user is not associated with said VLAN, block all traffic on said one of said plurality of 
input ports except for packets related to said user authentication protocol. 

However, Volpano discloses 
if authentication of said user information indicates said user information is invalid, block all 
traffic on said one of said plurality of input ports except for packets related to a user 
authentication protocol (Col 5, starting at line 30; control frames; EAPOL); 

if said user is not associated with said VLAN, block all traffic on said one of said plurality of 
input ports except for packets related to said user authentication protocol (Col 5, starting at line 30; 
control frames; EAPOL). 

Volpano and Kanuri et al are analogous art because they are from the same field of 
endeavor of VLAN-utilizing bridges/ switches. At the time of the invention, it would have been obvious to a 
person of ordinary skill in the art to combine the teachings of the modified See et al - Kanuri et al 
apparatus/ method/ system with Volpano to design an apparatus further adapted to drop/ filter 
packets by authenticating, utilizing an authentication server and an authentication protocol message 
containing a VLAN identifier, in order to provide proper VLAN packet filtering. 

Regarding claims 39, 41 and 43, Kanuri et al discloses wherein said network access device 
comprises a layer 2 network access device (Col 3, starts at line 27; the multiport switch enabling 
communication of layer 2 type data packets; layer 2 switch). 
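The control-logic sequence the examiner walks through for claims 38, 40 and 42 (and, in shorter form, for claim 1), as an added illustration that is not part of this office action or of any cited patent: the physical (MAC) address is checked first, user information is checked only on a valid MAC, the accept message carries a VLAN ID, the port is assigned to that VLAN or to the port default VLAN, and while the user is unauthenticated the port passes only user-authentication protocol frames (EAPOL). All MAC addresses, user names, credentials, VLAN numbers and the policy format are constructed; the authentication server is a local stand-in for the RADIUS exchange.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

class PortState(Enum):
    BLOCKED = "blocked"        # physical address invalid: drop packets from the device
    AUTH_ONLY = "auth_only"    # only user-authentication protocol frames (EAPOL) may pass
    AUTHORIZED = "authorized"  # port open on a VLAN, restricted by the user policy

# Constructed sample tables (hypothetical values, not from any cited patent).
VALID_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
# user -> (credential, VLAN ID returned in the accept message, user policy)
AUTH_SERVER_DB = {
    "alice": ("s3cret", 10, {"allow_tcp_dports": {22, 443}}),
    "bob": ("hunter2", 99, {"allow_tcp_dports": {80}}),  # VLAN 99 not supported here
}
SUPPORTED_VLANS = {10, 20}
PORT_DEFAULT_VLAN = 1

@dataclass
class PortDecision:
    state: PortState
    vlan: Optional[int] = None
    policy: Dict = field(default_factory=dict)

def authenticate_mac(mac):
    """Step 1: validate the physical (MAC) address of the attached user device."""
    return mac.lower() in VALID_MACS

def authentication_server(user, credential):
    """Stand-in for the RADIUS exchange: an accept message carries VLAN ID and policy."""
    rec = AUTH_SERVER_DB.get(user or "")
    if rec is None or rec[0] != credential:
        return False, None, {}
    return True, rec[1], rec[2]

def admit_port(mac, user=None, credential=None, default_vlan_fallback=True):
    """User info is checked only if the MAC is valid; VLAN assignment and policy only if user is valid."""
    if not authenticate_mac(mac):
        return PortDecision(PortState.BLOCKED)
    accepted, vlan, policy = authentication_server(user, credential)
    if not accepted:
        return PortDecision(PortState.AUTH_ONLY)
    if vlan not in SUPPORTED_VLANS:
        # one claimed variant falls back to the port default VLAN; the other keeps the port auth-only
        if default_vlan_fallback:
            return PortDecision(PortState.AUTHORIZED, PORT_DEFAULT_VLAN, policy)
        return PortDecision(PortState.AUTH_ONLY)
    return PortDecision(PortState.AUTHORIZED, vlan, policy)

def forward_allowed(decision, packet):
    """Per-frame filter the switching fabric applies on that input port."""
    if decision.state is PortState.BLOCKED:
        return False
    if decision.state is PortState.AUTH_ONLY:
        return packet.get("ethertype") == 0x888E   # EAPOL (IEEE 802.1X) control frames only
    allowed = decision.policy.get("allow_tcp_dports")
    return allowed is None or packet.get("tcp_dport") in allowed
```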

Conclusion 

10. THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 



A shortened statutory period for response to this action is set to expire in 3 (Three) months 
and 0 (Zero) days from the mailing date of this letter. Failure to respond within the period for 
response will result in ABANDONMENT of the application (see 35 U.S.C. 133, MPEP 710.02(b)). 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Shanto M Z Abedin whose telephone number is 571-272-3551. The examiner 
can normally be reached on M-F from 9:00 AM to 5:30 PM. If attempts to reach the examiner by 
telephone are unsuccessful, the examiner's supervisor, Moazzami Nasser, can be reached on 
571-272-4195. The fax phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, 
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Shanto MZ Abedin 

Examiner, AU 2136 

SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 




